#! /usr/bin/env python

#	Captures all scripts related to the malicious website
#	1) Attempts to identify server side checking by visiting the page with two
#	   different user agents. By using diff() if we detect distinct differences
#	   between the two produced scripts we can assume that the server is checking
#	   user agents. At which point we need to check ALL user agents.
#	   
#	2) For each user agent we will:
#		a) Generate a new JS file in the format: user_agent.js
#		b) Grab all JS from redirected pages (window.location)
#	
#	3) All HTML should be extracted using cURL
#	
#	4) The JS should be extracted recursively. Thus, if we acquire additional redirects
#	   from JS that was extracted from a previous window.location we can proceed to locate
#	   additional paths.
#	   
#	5) For mimicking the plugin, at least in PHoneyC, we can search (regex) for any checks
#	   to navigator.plugins['n'] and extract n. Then prior to processing, add 'n' to our
#	   list of plugins. Alert the user of this change.
#
#	REQUIRED LIBRARIES
#	pyparsing, beautifulsoup


import urllib2
import difflib
import pycurl
import sys
import configuration
from pyparsing import *

# Class used for cURL callback. Strores HTML from the website
class HTML_store:
	def __init__(self):
		self.contents = ''
		
	def body_callback(self, buf):
		self.contents = self.contents + buf

# Visits the given page, grabs the HTML and returns it to the user
def extract_html(URL, user_agent):
	html = HTML_store()
	c    = pycurl.Curl()
	c.setopt(c.URL, URL)
	c.setopt(c.WRITEFUNCTION, html.body_callback)
	c.perform()
	c.close()
	
	return html.contents

# Visits the given page, grabs the HTML, parses the script, and uses
# difflib() to compare the differences. Returns true if the malware is
# checking serverside, false otherwise
def checking_server_side(URL):
	# Retrieve the HTML from the given page
	ie_html = extract_html(URL, 'Internet Explorer')
	ff_html = extract_html(URL, 'Firefox')
	
	# Parse the JS from the page
	ie_js = extract_script(ie_html)
	ff_js = extract_script(ff_html)
	
	# Check the similarities
	similarity = difflib.SequenceMatcher(None, ie_js, ff_js).ratio()
	if similarity < configuration.ACCEPTABLE_SIMILARITY:
		return true
		
	return false

# Given HTML, extracts embedded scripts
# Should also grab all window.location redirects
def extract_script(HTML):
	# Setup PyParsing for <script>
	scriptStart,scriptEnd = makeHTMLTags("script")
	scripts = scriptStart + SkipTo(scriptEnd).setResultsName("body") + scriptEnd
	
	return_script = ''
	
	# Extract all Scripts
	for tokens,start,end in scripts.scanString(HTML):
		return_script += tokens.body + "\n\n"
		
	return return_script
	
# A hook function for interacting with the JS. In this case, the default
# is to compile a local page with the malicious JS and run it through
# PHoneyC to grab additional potential paths in the shellcode
def path_hook():
	pass
